The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) have published the Specification for the Extensible Configuration Checklist Description Format (XCCDF) for public review.

The XCCDF specification is "designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices."

The Checklist Description Format has been developed in response to the Cyber Security Research and Development Act of 2002, which "tasks the National Institute of Standards and Technology (NIST) to 'develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government.' Such checklists, when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools, can markedly reduce the vulnerability exposure of an organization."

The specification document released by NIST and NSA defines the data model and XML representation for the Extensible Configuration Checklist Description Format (XCCDF). An XCCDF document is "a structured collection of security configuration rules for some set of target systems. The model and its XML representation are intended to be platform-independent and portable, to foster broad adoption and sharing of rules. The processing discipline of the format requires, for some uses, a service layer that can collect and store system information and perform simple policy-neutral tests against the system information."

"XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's Open Vulnerability Assessment Language (OVAL). For document and reference metadata, XCCDF uses the Dublin Core Metadata element set."

The XCCDF specification will be of special interest to government and industry security analysts, and industry security management product developers. NIST and NSA welcome feedback from the public to improve the XCCDF specification.

Acknowledgements: [to] "the following individuals who contributed to the initial definition of XCCDF and its initial development: David Proulx, Mike Michinikov, Andrew Buttner, Todd Wittbold, Adam Compton, George Jones, Chris Calabrese, John Banghart, Murugiah Souppaya, John Wack, Trent Pitsenbarger, and Robert Stafford. David Waltermire of the Center for Internet Security was instrumental in supporting the development of XCCDF; he contributed many important concepts and constructs, performed a great deal of proofreading on this specification document, and provided critical input based on implementation experience. Ryan Wilson of Georgia Institute of Technology also made substantial contributions."

From the Announcement

To make it easier to measure the security of an information technology
product or system, researchers at the National Institute of Standards
and Technology (NIST) and the National Security Agency (NSA) have
developed a common specification language — Extensible Configuration
Checklist Description Format (XCCDF) — for writing security checklists
and related documents.

Increasingly, computers and other information technology products are
vulnerable to multiple threats including viruses, worms and identity
or information theft. One basic, yet effective, security tool is the
security configuration checklist — a series of instructions for
configuring an information technology (IT) product to a baseline or
benchmark level of security. Configuring a system into conformance
with a benchmark or other security specification is a time-consuming
and very technical task. Automated tools are available to help system
administrators determine a system's conformance and recommend
corrective measures. However, most of these tools are designed for a
particular IT product or system.

XCCDF is an XML-based format that is flexible, vendor-neutral and
suited for a wide variety of checklist applications including
measuring conformance of an IT system to security benchmarks and
generating a record of a benchmark test. XML is a language — analogous
to the HTML codes used to format web pages — that describes information
in a standard way to allow computers to exchange information and act
on it.

"XCCDF's common format will help security professionals, vendors and
system auditors to more quickly exchange information and improve
automation of security testing and configuration checking," said John
Wack, a researcher in NIST's Computer Security Division.

XCCDF Specification Overview

Motivation: "XCCDF is designed to enable easier, more uniform creation of security benchmarks, and allow benchmarks to be used with a variety of commercial and open tools. The motivation for this is improvement of security for IT systems, including the Internet, by better application of known security practices and configuration settings."

Use cases:

An academic group produces a benchmark for secure configuration of a particular
server operating system version. A government organization issues a set of rules
extending the academic benchmark to meet more stringent user authorization
criteria imposed by statute. A medical enterprise downloads both the academic
benchmark and the government extension, tailors the combination to fit their
internal security policy, and applies an enterprise-wide audit using a commercial
security audit tool. Reports output by the tool include remediative measures
which the medical enterprise IT staff use to bring their systems into full internal
policy compliance.

A federally-funded lab issues a security advisory about a new Internet worm. In
addition to a prose description of the worm's attack vector, they include a set of
short benchmarks in a standard format that assess vulnerability to the worm for
various operating system platforms. Organizations all over the world pick up the
advisory, and use installed tools that support the standard format to check their
status and fix vulnerable systems.

An industry consortium wants to produce a security checklist for a popular
commercial server. The core security settings are the same for all OS platforms
on which the server runs, but a few settings are OS-specific. The consortium can
craft one checklist in a standard format for the core settings, and then write
several OS-specific ones that incorporate the core settings by reference. Users
download the core checklist and the OS-specific checklists that apply to their
installations, and run a checking tool to score their compliance with the checklist.

Requirements:

Security and domain experts create a benchmark, which is an organized collection
of rules about a particular kind of system or platform. To support this use,
XCCDF must be an open, standardized format, amenable to generation and
editing with a variety of tools. It must be expressive enough to represent complex
conditions and relationships about the systems to be benchmarked, and it must
also be able to incorporate descriptive material and remediative measures.
(XCCDF benchmarks may include specification of the hardware and/or software
platforms to which they apply. The specification should be concrete and granular
enough for compliance checking tools to detect whether a rule is suited for a
target platform.)

Auditors and system administrators may employ tailoring tools to customize a
benchmark for their local environment or policies. An XCCDF document must
include the structure and interrogative text needed to guide the user in tailoring a
benchmark, and it must be able to hold or incorporate the user's tailoring
responses.

In addition to supporting tailoring and security audits, an XCCDF document
should be structured to foster generation of hardcopy benchmark guides.

The structure of an XCCDF document should support transformation into HTML,
for posting the benchmark as a web page.

An XCCDF document should be transformable into (other) XML formats, to
promote portability and interoperability.

The primary use for an XCCDF benchmark is to drive automated security
benchmarking tools. Such tools should accept one or more XCCDF documents,
and supporting system test definitions, and check whether their rules are satisfied
by some particular target system. The XCCDF document should support
generation of a compliance report, including a weighted compliance score.

In addition to a benchmark report, some benchmarking tools may be capable of
generating scripts or procedures for helping to bring a system into compliance.
XCCDF must be able to hold or encapsulate the remediation scripts or texts.

XCCDF documents might also be used in vulnerability scanners, to test whether a
target system is vulnerable to a particular kind of attack. For this purpose, the
XCCDF document would play the role of a vulnerability alert, but with the ability
to both describe the problem and drive automated verification of its presence. [from the spec Introduction]
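The requirements above call for a benchmark that a user can tailor (selecting which rules apply) and that a checking tool can turn into a compliance report with a weighted score. The Python below is an added example written for this page; it is not code from the announcement, from NIST/NSA, or from the XCCDF specification. It parses a constructed, simplified benchmark that borrows XCCDF's vocabulary (Benchmark, Profile, Rule, weight, check) but is not a schema-valid XCCDF document: the element and attribute names, the rule that a profile's selections override a rule's own default, the scoring formula (weight of passed rules over weight of all selected and checked rules), and the checking-engine results are all assumptions made for illustration.

```python
"""Tailoring and weighted compliance scoring over a small XCCDF-style benchmark.

Added example, not part of the NIST/NSA announcement or the XCCDF
specification. The document and the engine results below are constructed;
element names and scoring semantics are simplified assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed benchmark. Rules carry a weight and an optional default
# selection; a Profile records the user's tailoring as select overrides.
BENCHMARK_XML = """<?xml version="1.0"?>
<Benchmark id="sample-server-benchmark">
  <title>Constructed server hardening benchmark</title>
  <Profile id="stringent">
    <select idref="rule-password-length" selected="true"/>
    <select idref="rule-remote-root-login" selected="true"/>
  </Profile>
  <Rule id="rule-password-length" weight="5.0" selected="false">
    <title>Minimum password length is at least 12</title>
    <check system="sample-engine"><check-content-ref name="pw-len"/></check>
  </Rule>
  <Rule id="rule-remote-root-login" weight="10.0">
    <title>Remote root login is disabled</title>
    <check system="sample-engine"><check-content-ref name="root-login"/></check>
  </Rule>
  <Rule id="rule-login-banner" weight="1.0" selected="false">
    <title>Login banner is configured</title>
    <check system="sample-engine"><check-content-ref name="banner"/></check>
  </Rule>
  <Rule id="rule-audit-daemon" weight="2.0">
    <title>Audit daemon is running</title>
    <check system="sample-engine"><check-content-ref name="auditd"/></check>
  </Rule>
</Benchmark>
"""

# Constructed output of a hypothetical checking engine, keyed by check name.
# "auditd" is deliberately absent to show how an unchecked rule is handled.
CHECK_RESULTS = {"pw-len": "pass", "root-login": "fail", "banner": "pass"}


@dataclass
class RuleResult:
    rule_id: str
    weight: float
    result: str  # "pass", "fail", "notchecked", or "notselected"


def _profile_selections(root, profile_id):
    """Tailoring step: map rule id -> selected flag from the chosen profile."""
    profile = root.find(f"Profile[@id='{profile_id}']")
    if profile is None:
        raise ValueError(f"no profile {profile_id!r} in benchmark")
    return {s.get("idref"): s.get("selected") == "true" for s in profile.findall("select")}


def evaluate(xml_text, profile_id, check_results):
    """Apply the profile to every Rule and attach the engine's result to each."""
    root = ET.fromstring(xml_text)
    overrides = _profile_selections(root, profile_id)
    results = []
    for rule in root.findall("Rule"):
        rule_id = rule.get("id")
        weight = float(rule.get("weight", "1.0"))
        # Profile selection wins; otherwise fall back to the rule's own default (true).
        selected = overrides.get(rule_id, rule.get("selected", "true") == "true")
        if not selected:
            results.append(RuleResult(rule_id, weight, "notselected"))
            continue
        ref = rule.find("check/check-content-ref")
        name = ref.get("name") if ref is not None else None
        # A selected rule the engine did not report on is "notchecked", not "fail".
        results.append(RuleResult(rule_id, weight, check_results.get(name, "notchecked")))
    return results


def weighted_score(results):
    """Percentage of weight earned among rules that were selected and actually checked."""
    scored = [r for r in results if r.result in ("pass", "fail")]
    total = sum(r.weight for r in scored)
    if total == 0:
        return 0.0
    passed = sum(r.weight for r in scored if r.result == "pass")
    return round(100.0 * passed / total, 2)


def report(results):
    """Plain-text compliance report, one line per rule plus the weighted score."""
    lines = [f"{r.rule_id:26s} weight={r.weight:5.1f}  {r.result}" for r in results]
    lines.append(f"weighted compliance score: {weighted_score(results)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(BENCHMARK_XML, "stringent", CHECK_RESULTS)))
```

Running it with the constructed data yields a score of 33.33: the profile re-selects the password rule that the benchmark left off by default, the failed root-login rule carries twice the weight of the passed password rule, the banner rule is excluded as not selected, and the audit-daemon rule is reported as notchecked rather than silently counted as a failure. Keeping unchecked rules out of the denominator is a design choice worth making explicit in any real scoring tool, since a tool that cannot run a check should not inflate or deflate the score.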

About National Security Agency (NSA) and National Institute of Standards and Technology (NIST)

National Security Agency: "The National Security Agency/Central Security Service is America's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government. NSA conducts one of the U.S. government's leading research and development (R&D) programs. Some of the Agency's R&D projects have significantly advanced the state of the art in the scientific and business worlds...

NSA's early interest in cryptanalytic research led to the first large-scale computer and the first solid-state computer, predecessors to the modern computer. NSA pioneered efforts in flexible storage capabilities, which led to the development of the tape cassette. NSA also made ground-breaking developments in semiconductor technology and remains a world leader in many technological fields. NSA employs the country's premier cryptologists. It is said to be the largest employer of mathematicians in the United States and perhaps the world. Its mathematicians contribute directly to the two missions of the Agency: designing cipher systems that will protect the integrity of U.S. information systems and searching for weaknesses in adversaries' systems and codes..."